Fail2Ban in Plesk banning Cloudflare/Digital Ocean IPs and Error Logs Showing DO IPs as errors

Posted on December 17, 2024
By SP1

Hi, I am facing a very peculiar problem. Fail2Ban in Plesk is banning Cloudflare/Digital Ocean IPs, due to which the website went down.

  1. Is there a way to unban all the Digital Ocean IPs in F2B? And how can I find out which IPs are Digital Ocean server IPs?

Also, the Error Logs in Plesk are showing Digital Ocean IPs as errors. Probably they are getting masked; I remember I did a process in DO where all masked IP addresses started showing the originating IPs on the previous server. I cannot find that online document.

  2. Can someone help me with how to unmask these IPs in Plesk so that the error logs show the original IPs and not Digital Ocean IPs?

(We use CloudFlare as well)

Thanks.




Heya,

Fail2Ban allows you to whitelist specific IPs or IP ranges using its ignoreip setting.

Edit the Fail2Ban configuration file to whitelist Cloudflare and DigitalOcean IPs.

  1. Open the Fail2Ban jail.local file:
sudo nano /etc/fail2ban/jail.local
  2. Add the IP ranges to the ignoreip line:
[DEFAULT]
ignoreip = 127.0.0.1/8 10.0.0.0/8 <cloudflare_ips> <digitalocean_ips>

Replace <cloudflare_ips> and <digitalocean_ips> with the IP ranges, then save the file and restart Fail2Ban:

sudo systemctl restart fail2ban

Show Real IPs (Unmask IPs) in Plesk Logs

When using Cloudflare or other proxies, the visitor’s real IP gets masked by Cloudflare’s IP. To fix this, you need to configure Plesk and your web server to show the original IPs.

Step 1: Use Cloudflare’s Real IP Module for Nginx or Apache

For Nginx:

  1. Install the ngx_http_realip_module:
sudo apt install nginx-extras

Configure Nginx to trust Cloudflare IPs:

  • Open the Nginx configuration file
sudo nano /etc/nginx/nginx.conf

Add the following lines to the http block:

set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
real_ip_header CF-Connecting-IP;

Replace the IP ranges with Cloudflare’s list.

sudo systemctl restart nginx

Configure Plesk to Show Real IPs

Plesk needs to use the X-Forwarded-For or CF-Connecting-IP headers for logging the real IPs.

  1. Go to Plesk Control Panel:

    • Navigate to Tools & Settings > Apache & Nginx Settings.
    • Enable Proxy Mode and Use the real IP address.
  2. Apply the changes and restart the web server.
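As an added example (not from the answer above and not DigitalOcean's own code), a small Python helper that checks which Fail2Ban bans landed on trusted proxy ranges and renders the ignoreip and set_real_ip_from lines described above. The Cloudflare prefixes are the three quoted in the answer; the DigitalOcean prefix and the fail2ban.log lines are constructed placeholders.

```python
import ipaddress
import re

# Trusted proxy prefixes. The Cloudflare entries are the three quoted in the
# answer above; the DigitalOcean entry is a constructed RFC 5737 placeholder,
# not a real DigitalOcean prefix. Replace both with the providers' published lists.
TRUSTED_PROXIES = {
    "cloudflare": ["173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22"],
    "digitalocean": ["198.51.100.0/24"],  # placeholder (constructed)
}

# Constructed fail2ban.log excerpt in the default fail2ban log format.
SAMPLE_LOG = """\
2024-12-17 10:01:02,123 fail2ban.actions [1234]: NOTICE [plesk-apache] Ban 173.245.48.17
2024-12-17 10:02:15,456 fail2ban.actions [1234]: NOTICE [ssh] Ban 203.0.113.45
2024-12-17 10:03:40,789 fail2ban.actions [1234]: NOTICE [plesk-apache] Unban 173.245.48.17
2024-12-17 10:05:01,000 fail2ban.actions [1234]: NOTICE [plesk-apache] Ban 198.51.100.9
"""

BAN_RE = re.compile(r"\[(?P<jail>[\w-]+)\]\s+Ban\s+(?P<ip>[0-9a-fA-F.:]+)")

def parse_bans(log_text):
    """Return (jail, ip) for every 'Ban' line; 'Unban' lines are skipped."""
    matches = (BAN_RE.search(line) for line in log_text.splitlines())
    return [(m.group("jail"), m.group("ip")) for m in matches if m]

def classify_bans(log_text, proxies=TRUSTED_PROXIES):
    """Map each (jail, ip) ban to the proxy provider owning that IP, or None."""
    nets = [(name, ipaddress.ip_network(c)) for name, cidrs in proxies.items() for c in cidrs]
    out = {}
    for jail, ip in parse_bans(log_text):
        addr = ipaddress.ip_address(ip)
        out[(jail, ip)] = next((name for name, net in nets if addr in net), None)
    return out

def ignoreip_line(proxies=TRUSTED_PROXIES, base=("127.0.0.1/8", "::1")):
    """Render the jail.local [DEFAULT] ignoreip line covering all proxy ranges."""
    return "ignoreip = " + " ".join(list(base) + [c for cs in proxies.values() for c in cs])

def real_ip_block(cidrs, header="CF-Connecting-IP"):
    """Render the nginx http-block lines that restore the client IP from a proxy."""
    return "\n".join([f"set_real_ip_from {c};" for c in cidrs] + [f"real_ip_header {header};"])

if __name__ == "__main__":
    for (jail, ip), owner in classify_bans(SAMPLE_LOG).items():
        print(f"{jail:14} {ip:16} {'proxy: ' + owner if owner else 'real client'}")
    print(ignoreip_line())
    print(real_ip_block(TRUSTED_PROXIES["cloudflare"]))
```

Listing the proxy ranges in ignoreip only stops Fail2Ban from banning the proxy itself; until the real-IP step is also in place, abusive clients behind Cloudflare cannot be banned at all, because the logs never contain their address.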

Heya, @sp1

On top of what’s already been mentioned, you can modify Fail2Ban filters to exclude Cloudflare or DigitalOcean IP ranges. For example, update /etc/fail2ban/filter.d/nginx-http-auth.conf:

failregex = ^<HOST> -.*"(GET|POST|HEAD).*HTTP/1.1".*$
ignoreregex = <IP_RANGES_TO_IGNORE>

Additionally, if you're using Cloudflare, set up firewall rules to block malicious traffic before it reaches your server. For example:

  • Allow only specific countries.
  • Block IPs with high request rates.

Hope that this helps!
